The access file

The access file should contain a list of lines with 3 colon-separated fields:

<key label or key alias> : <host or host alias> : <account or account alias>

Aliases represent a grouping of names and start with an ‘@’ (Perl array syntax); otherwise singular names should be used. The host alias and account alias fields may contain a comma-separated list of singular names or aliases. Key label(s) should match the key labels used in the key (group) files (in keys.d/*).

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

Examples:

John_Doe        : 	foo1,foo2	:	dteadm

→ grants the owner of public key John_Doe access to the local account dteadm on hosts foo1 and foo2

@dte_devs       : @dev_hosts	        :	dteadm

→ grants the owners of all the public keys in the @dte_devs group access to the local account dteadm on all hosts in the dev_hosts group

@dte_devs       : @dev_hosts	        :	@dev_accounts

→ grants the owners of all the public keys in the @dte_devs group access to all local account(s) in the dev_accounts group on all hosts in the dev_hosts group

The alias file

The alias file should contain a list of lines with 2 colon-separated fields:

<alias identifier> : <alias member 1>, <alias member 2>, …

Alias identifiers should always start with an ‘@’ (Perl array syntax) to indicate their grouping status. Alias members may themselves be aliases (groups), nested at most 5 levels deep. All aliases should be unique across the entire SSH Controls namespace.

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

Examples:

@dev_hosts	   :	foo1,foo2

→ means the dev_hosts group contains items foo1 & foo2. In this case they would represent a group of servers.

@dte_devs          : 	@dev_admin,John_Doe,Jane_Doe

→ means the dte_devs group contains all persons in the dev_admin group plus the users John_Doe and Jane_Doe
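As an added example (not part of the SSH Controls code itself), the following Python parses an alias file and an access file in the formats described above, expands nested aliases up to the 5-level limit, skips ‘#’ comment lines and lists the resulting per-key grants; the sample file contents, the extra member Peter_Pan and the extra account dteapp are constructed for the example.

```python
# Added example, not the SSH Controls project's own code: parse the alias and
# access files described above and expand every grant to singular names.
MAX_NESTING = 5  # alias members may be aliases themselves, max. 5 levels deep

def records(text, nfields):
    # Yield the colon-separated fields of each line, skipping '#' comments.
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fields = [f.strip() for f in line.split(":")]
            if len(fields) != nfields:
                raise ValueError(f"expected {nfields} fields: {raw!r}")
            yield fields

def parse_aliases(text):
    aliases = {}
    for name, members in records(text, 2):
        if not name.startswith("@") or name in aliases:
            raise ValueError(f"bad or duplicate alias identifier: {name}")
        aliases[name] = members
    return aliases

def expand(field, aliases, depth=0):
    # Resolve a comma-separated field of names and/or @aliases to singular names.
    names = set()
    for member in (m.strip() for m in field.split(",") if m.strip()):
        if not member.startswith("@"):
            names.add(member)
        elif depth >= MAX_NESTING or member not in aliases:
            raise ValueError(f"unknown alias or nesting > {MAX_NESTING}: {member}")
        else:
            names |= expand(aliases[member], aliases, depth + 1)
    return names

def resolve_access(access_text, alias_text):
    # Return {key_label: {(host, account), ...}} for every access line.
    aliases = parse_aliases(alias_text)
    grants = {}
    for key, hosts, accounts in records(access_text, 3):
        pairs = {(h, a) for h in expand(hosts, aliases) for a in expand(accounts, aliases)}
        for k in expand(key, aliases):
            grants.setdefault(k, set()).update(pairs)
    return grants

# Constructed sample files, reusing the names from the examples above.
ALIAS_FILE = """@dev_hosts    : foo1,foo2
@dev_admin    : Peter_Pan
@dte_devs     : @dev_admin,John_Doe,Jane_Doe
@dev_accounts : dteadm,dteapp"""
ACCESS_FILE = """# key label : host(s) : account(s)
John_Doe  : foo1,foo2  : dteadm
@dte_devs : @dev_hosts : @dev_accounts"""
```

Calling `resolve_access(ACCESS_FILE, ALIAS_FILE)` yields the same four (host, account) pairs for John_Doe, Jane_Doe and Peter_Pan; an alias chain deeper than five levels raises a ValueError instead of recursing indefinitely.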

The targets file

The targets file should contain a list of host names **and/or @alias names**, one per line.

Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

The keys file(s)

The keys file(s) should contain a list of pre-formatted SSH public keys and their info:

<key label>, <key type>, <key string>

Examples:

John_Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQEA1lDB+2r82ZyuJH9kYs1mtLGgDvQH1zeUf6UKNlVWD9++Bm/iFYuKdZxnEv8BmcMXEmWzeOEW7knCbrFqeOsDIB7IuOYjVsI5QpKg1PIY6S8Q==

Each key entry should be on exactly ONE line. Lines prefixed by ‘#’ are considered comment lines and are ignored during processing.

The easiest way to re-format a public key into SSH Controls format is to use the convert_pubkey.pl script:

[master:/]$ /etc/ssh_master/convert_pubkey.pl --file=<key_file> --label="<key_label>"

Please do not use key labels with spaces (use underscores instead). You can store the output of the above command either in a single file (i.e. the keys file) OR in individual files located in a keys.d directory:

  1. A keys file:
[master:/etc/ssh_master]$ ls -l keys
-rw-r--r--    1 sshadmin     sshadmin        97344 Mar 29 10:57 keys

[master:/etc/ssh_master]$ cat keys
John_Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQEA1lDB+2r82ZyuJH9kYs1mtLGgDvQH1zeUf6UK
NlVWD9++Bm/iFYuKdZxnEv8BmcMXEmWzeOEW7knCbrFqeOsDIB7IuOYjVsI5QpKg1PIY6S8Q==
Jane_Doe, ssh-rsa, AAAAB3NzaC1yc2EAAAABJQAAAQB+7nymWVZwg3Njpf+Jp5VqDJUoKy/ypDtTR3Jg
ro7GWlihGxgUz3Jk8eew5GEze0LELEL67qq==

Note: key entries are split over multiple lines here to enhance readability.

  2. A keys.d directory:
[master:/etc/ssh_master]$ ls -l keys.d/*
-rw-r--r--    1 sshadmin     sshadmin        367 Mar 29 10:57 johndoe
-rw-r--r--    1 sshadmin     sshadmin        372 Mar 29 10:57 janedoe
-rw-r--r--    1 sshadmin     sshadmin        429 Mar 29 10:57 peterpan
-rw-r--r--    1 sshadmin     sshadmin        582 Mar 29 10:57 captainhook

Individual files inside the keys.d directory may themselves contain multiple keys, which allows for key grouping. Key files may have an optional file extension, e.g. test_user.keys.
